Customizing for a proprietary syslog extension
This topic describes how to customize BMC AMI Datastream for z/OS to be compatible with the following products:

  • ArcSight
  • RSA Security Analytics
  • IBM Security QRadar
  • JSON
  • Splunk

Selecting product compatibility

To make BMC AMI Datastream compatible with the listed SIEM products, begin your testing by customizing the $$$SERVR member in your amihlq.PARM data set. The amihlq variable is the high-level qualifier that you choose during installation.

The following code shows the $$$SERVR member:

;**********************************************************************;
;**********************************************************************;
; $$$SERVR: User agent parameter member for BMC AMI Datastream         ;
;           This is a copy of CZASERVR and made available for          ;
;           user modification.  It will be included in CZAPARMS        ;
; SIEMTYPE-independent                                                 ;
; Copyright (c) 2014-2024 BMC Software, Inc.                           ;
;**********************************************************************;
;**********************************************************************;

SAY "v7.1.01 Updated 21 March 2024"

; Options dependent on SIEM type
OPTIONS IF(CEF)     SIEM(CEF)     TIMESTAMP +
        INSTNAME(CEF.Agent)
OPTIONS IF(JSON)    SIEM(JSON)              +
        INSTNAME(Agent.JSON)
OPTIONS IF(LEEF)    SIEM(LEEF)    TIMESTAMP +
        INSTNAME(LEEF.Agent)
OPTIONS IF(RFC3164) SIEM(RFC3164) TIMESTAMP +
        INSTNAME(SIEM.Agent)
OPTIONS IF(Splunk)  SIEM(Splunk)  TIMESTAMP +
        INSTNAME(Agent.for.Splunk)
OPTIONS IF(AMIJSON) SIEM(AMIJSON)           +
        INSTNAME(Agent.AMIJSON)
OPTIONS IF(INFLUXDB) SIEM(INFLUX_DB)        +
        INSTNAME(Agent.INFLUXDB)

OPTIONS SWAP(NO)              ; Recommended default is NO
;OPTIONS NONCANCELABLE         ; Agent is non-cancelable
OPTIONS QUEUE64(1024)         ; 1GB default

;OPTIONS IPASYNCDisable       ; Disable Asynchronous IP processing

OPTIONS IF(SIV)  SIVSCANNER        ; Enable System Integrity Scanner
OPTIONS IF(-SIV) NOSIVSCANNER      ; Disable System Integrity Scanner
OPTIONS IF(AMIJSON) NOSIVSCANNER   ; Disable System Integrity Scanner
OPTIONS IF(INFLUXDB) NOSIVSCANNER ; Disable System Integrity Scanner
OPTIONS IF(USSENRICH) USSENRich    ; Enable USS Privileges Enrichment
OPTIONS IF(-USSENRICH) NOUSSENRich ; Disable USS Privileges Enrichment
OPTIONS IF(AMIJSON) NOUSSENRich    ; Disable USS Privileges Enrichment
OPTIONS IF(INFLUXDB) NOUSSENRich   ; Disable USS Privileges Enrichment
OPTIONS IF(SRCC)  SIVSRC           ; Enable Sys. Int. Src Compare
OPTIONS IF(-SRCC) NOSIVSRC         ; Disable Sys. Int. Src Compare
OPTIONS IF(AMIJSON) NOSIVSRC       ; Disable Sys. Int. Src Compare
OPTIONS IF(INFLUXDB) NOSIVSRC      ; Disable Sys. Int. Src Compare
OPTIONS IF(-SIV) NOSIVSRC          ; Disable Sys. Int. Src Compare

OPTIONS IF(Splunk) UNIQUETAG       ; Make repeating field tags unique
OPTIONS IF(JSON) UNIQUETAG         ; Make repeating field tags unique
OPTIONS IF(AMIJSON) UNIQUETAG      ; Make repeating field tags unique

OPTIONS IF(IEFU86) IEFU86Enable    ; Enable the IEFU86 SMF exit

;OPTIONS NOSRCCMPOutput            ; Disable print Src Compare output
;OPTIONS NOSRCCMPSend              ; Disable send Src Compare output
;OPTIONS NOIEBCOPYcapture          ; Disable capturing IEBCOPY member list

;OPTIONS KEEPEXITFirst             ; Keep CZAU8x exits first before
                                   ;  all other CZAU8x exits.
;OPTIONS VERIFYExit                ; Verify SMF Exits haven't been
                                   ;  modified. Reload if they have.

;OPTIONS SNDAGTCONFSiem            ; Send Datastream configuration
                                   ; event record to SIEM
OPTIONS LIMITOVERflowmsg(10)       ; Disable or limit the number of
                                   ; overflow messages CZA0301W.
;OPTIONS IF(SPM) DATABase(filepath) ; Database filepath of BMC AMI
                                   ;  Security Policy Manager
; ---------------------------------------------------------------------
; Select which SMF records will be enriched with USS information
; ---------------------------------------------------------------------
OPTIONS IF(USSENRICH) USSSMF(92)   ; Enrich zFS - File system activity
OPTIONS IF(USSENRICH) USSSMF(109)  ; Enrich USS Syslog
OPTIONS IF(USSENRICH) USSSMF(230)  ; Enrich ACF2

; ---------------------------------------------------------------------
; Uncomment the following OPTIONS if you are connecting
; to the BMC AMI Command Center with SERVER TRANS(TCP)
; ---------------------------------------------------------------------
;OPTIONS FRAMING(OCTETCOUNT) ; Framing (LF,CR,CRLF,NULL,OCTETCOUNT)

; ---------------------------------------------------------------------
;  You must uncomment (remove the semi-colon(;)) from one of the SERVER
;  statements below
; ---------------------------------------------------------------------
; ---------------------------------------------------------------------
; RFC3164
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; CEF - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; JSON - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; LEEF - TRANS(TCP) Required by QRadar
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(2000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; SPLUNK - TRANS(TCP) Recommended
; ---------------------------------------------------------------------
;SERVER ip.addr.example TRANS(TCP) MAXMSG(3000) ; You MUST edit per doc

; ---------------------------------------------------------------------
; AMIJSON - TRANS(REST) Required
; ---------------------------------------------------------------------
;SERVER BMC.HELIX.Log.Service.URL
; APIKEY(123-456-7890) +
; TRANS(REST) MAXMSG(32768)
;TIME UTC                 +
;     DUR(ISO8601_T)      +
;     TIMEOFDAY('%Y-%m-%dT%H:%M:%S.%Q3Z') +
;     ZONE('CST6CDT')         ; Review TIME statement ZONE parameter

; ---------------------------------------------------------------------
; INFLUXDB - TRANS(REST) Required
; ---------------------------------------------------------------------
;SERVER BMC.HELIX.InfluxDB.Service.URL +
; APIKEY(123-456-7890) +
; TRANS(REST) MAXMSG(32768)

; ---------------------------------------------------------------------
; KAFKA - TRANS(KAFka) Required
; ---------------------------------------------------------------------
;SERVER broker.address.example:port    +
; KAFKA_SSL_Conf(                           +  ; Optional SSL config
; ssl.keystore.location(filepath)           +
; ssl.keystore.password(filepath)           +
; ssl.ca.location(filepath)) +
; TOPIC(topicname )   +
; TRANS(KAFKA) MAXMSG(32768)

; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired
; ---------------------------------------------------------------------
; TIME UTC   DUR(ISO8601_T)  TIMEOFDAY(ISO8601_T) ZONE(TZ)

; ---------------------------------------------------------------------
; Uncomment and edit the following TIME statement if desired extra
; precision
; ---------------------------------------------------------------------
; TIME UTC DUR(' %H:%M:%S:%Q6 ') TIMEOFDAY('%d%b%Y %H:%M:%S:%Q6') +
; ZONE(TZ)

; ---------------------------------------------------------------------
; Uncomment the following lines if you want a local (on CZAGENT's LPAR)
; copy of the transmitted Syslog messages. See "The LOCAL Statement"
; in "Appendix A: Parameter File Reference" of the CZAGENT Users Manual
; The parameter values shown are defaults and may not be optimal for
; your installation.
; ---------------------------------------------------------------------
; LOCAL DATASET(*) +
;       FOLD(133) +
;       MOD       +
;       REOPEN(MIDNIGHT) +
;       SPACE(TRK 10 10 0)

; ---------------------------------------------------------------------
;  Uncomment the following to enable XCF communication
;  between BMC AMI Datastream for z/OS servers
; ---------------------------------------------------------------------
SYSPLEX +
        GROUPNAME(AMIZOS)         ; Sysplex group name

Note

CZAPARMS contains various select statements controlled by the configuration switches in $$$CONFG, described in the following section. BMC recommends that you enable selections through the $$$CONFG switches only and avoid modifying CZAPARMS.

Specifying the configuration type

With the PARM file member named $$$CONFG, you can control the SIEM type and other optional record definitions by setting switches.

To enable the SIEM type and other record definitions, uncomment (remove the leading semicolon) the required switches. Ensure that you enable only one SIEM type.

The following code shows the $$$CONFG member:

;**********************************************************************;
;**********************************************************************;
; $$$CONFG: Field configuration member for BMC AMI Datastream          ;
;           This is a copy of CZDCONFG and made available for          ;
;           user modification.  It will be included in CZDEFINE        ;
; SIEMTYPE-independent                                                 ;
; Copyright (c) 2014-2025 BMC Software, Inc.                           ;
; DRAID-882 - Added SIV option switch                                  ;
;**********************************************************************;
;**********************************************************************;

SAY "v7.1.02 Updated 19 Nov 2024"

;**********************************************************************;
; Do NOT place any statements in this member unless they are acceptable
; BOTH as definition and parameter statements as this member is
; used by both CZDEFINE and CZAPARMS.
;**********************************************************************;

;**********************************************************************;
; Switches for setting the SIEM type. Uncomment ONE and ONLY ONE of the
; following statements
;**********************************************************************;
; SWITCH ON(RFC3164)     ; Uncomment for SIEM type RFC 3164
; SWITCH ON(CEF)         ; Uncomment for SIEM type CEF
; SWITCH ON(JSON)        ; Uncomment for SIEM type JSON
; SWITCH ON(LEEF)        ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk)      ; Uncomment for SIEM type Splunk
; SWITCH ON(DAM)         ; Uncomment for SIEM type DAM
; SWITCH ON(AMIJSON)     ; Uncomment for SIEM type AMIJSON
; SWITCH ON(INFLUXDB)    ; Uncomment for SIEM type INFLUX_DB

;**********************************************************************;
; Switches for the inclusion of various optional support
; Uncomment as desired by replacing the semi-colon (;) in column 1
; with a space.
;**********************************************************************;
; SWITCH ON(Abend-AID)   ; Compuware Abend-AID
; SWITCH ON(Action)      ; Action Software EventAction SMF Type 249
; SWITCH ON(SessMon)     ; BMC Security Session Monitor
; SWITCH ON(ChangeMan)   ; Micro Focus ChangeMan
; SWITCH ON(SS)          ; SuperSession
; SWITCH ON(IAM)         ; BMC AMI Storage IAM
; SWITCH ON(BACKLOG)     ; BACKLOG messages
; SWITCH ON(CONSOLE)     ; Selected CONSOLE messages
; SWITCH ON(VMCON)       ; Selected VM Console Messages
; SWITCH ON(VMSEC)       ; Selected VM Secure Messages
; SWITCH ON(VMRACF)      ; VM SMF 80 RACF fields
; SWITCH ON(GENERIC)     ; For LOADFILE
; SWITCH ON(IND$FILE)    ; API1 IND$FILE
; SWITCH ON(JOBLOG)      ; Process local/JOBLOG SYSOUT
; SWITCH ON(LOCALJL)     ; Enable Local JOBLOG support
                         ; LOCALJL requires JOBLOG switch
; SWITCH ON(LSPACE)      ; LSPACE DASD Freespace Monitoring
; SWITCH ON(MODIFY)      ; MODIFY from API1--see manual
; SWITCH ON(BMCAMI)      ; BMC AMI IND$FILE SMF 202 records
; SWITCH ON(DIAG)        ; Diagnostic message display
; SWITCH ON(IFCID002)    ; DB2 IFCID 002
; SWITCH ON(IFCID003)    ; DB2 IFCID 003
; SWITCH ON(IFCAPPT)     ; DB2 APPTUNE IFCID records
; SWITCH ON(MQ)          ; SMF Type 115 and 116 (MQ Series)
; SWITCH ON(RMF)         ; RMF: SMF Types 70 through 79
; SWITCH ON(JES)         ; JES2/3 SMF types 26, 43, 55-58
; SWITCH ON(JES3)        ; Executing in Jes3 environment
; SWITCH ON(OA57466)     ; IF APAR OA57466 applied (SMF26)
; SWITCH ON(DFSORT)      ; DFSORT SMF 16 Records
; SWITCH ON(TSO)         ; SMF 32 and 119
; SWITCH ON(USS)         ; SMF 109
; SWITCH ON(CRYPTO)      ; SMF 82
; SWITCH ON(SYSLOGGER)   ; Enable System Logger SMF type 88
; SWITCH ON(SMF113)      ; SMF Type 113
; SWITCH ON(SMF30CPU)    ; SMF Type 30 CPU reporting
; SWITCH ON(SMF30STO)    ; SMF Type 30 Storage reporting
; SWITCH ON(SMF30CTS)    ; SMF Type 30 Crypto & NNPI Counters Section
; SWITCH ON(SMF30CNR)    ; SMF Type 30 Container Section
; SWITCH ON(SMF89)       ; SMF Type 89
; SWITCH ON(IMSLOG)      ; IMS Log Record Events
; SWITCH ON(IMSConn)     ; IMS Connect Events
; SWITCH ON(LOG4J)       ; Log4j data from LOADFILE
; SWITCH ON(VSAM)        ; Enable VSAM SMF types 60/62/64
; SWITCH ON(RACF)        ; Enable RACF Type 80/81/83/1154
; SWITCH ON(TOPSECRET)   ; Enable TopSecret Record types 80/231
; SWITCH ON(ACF2)        ; Enable ACF/2 Record data/type 230
; SWITCH ON(OPS)         ; Enable Operations Events
; SWITCH ON(FAM)         ; Enable File Access Monitoring
; SWITCH ON(HFTS)        ; Enable HFTS data SMF 98
; SWITCH ON(SRMC)        ; Enable SRM data SMF 99
; SWITCH ON(ICF)         ; Enable Integrated Catalog Facility
; SWITCH ON(DEVICE)      ; Enable Device SMF types 8, 9, 11 and 22
; SWITCH ON(DIVVLF)      ; Enable DIV objects and VLF stats SMF type 41
; SWITCH ON(DB2)         ; Enable DB2 SMF 100, 101, 102 collection
; SWITCH ON(CICS)        ; Enable CICS SMF 110 collection
; SWITCH ON(IBMHttp)     ; IBM HTTP Server SMF Type 103
; SWITCH ON(WebSphere)   ; Enable WebSphere SMF Type 120
; SWITCH ON(HMC)         ; HMC SMF Type 106 BCPii
; SWITCH ON(CD)          ; Connect Direct SMF 132
; SWITCH ON(SPM)         ; Policy Manager data
; SWITCH ON(AUTOMATE)    ; Enable Alert Automation
; SWITCH ON(RECEIVER)    ; Enable VM Receiver
; SWITCH ON(AMIOPS)      ; AMI Ops Events
; SWITCH ON(AOPSMIMS)    ; AMI OpsM for IMS SMF record
; SWITCH ON(PAM)         ; Privileged Access Manager
; SWITCH ON(SIV)         ; System Integrity Violation Scanner
; SWITCH ON(SRCC)        ; Proclib/Parmlib changes (Requires SIV)
; SWITCH ON(USRSRCC)     ; Userlib changes (Requires SIV and SRCC)
; SWITCH ON(USSENRICH)   ; USS Privileges Enrichment
; SWITCH ON(LOADFILE)    ; Loadfile Events
; SWITCH ON(SMF123)      ; SMF Type 123
; SWITCH ON(IEFU86)      ; Enable the IEFU86 Exit
; SWITCH ON(SSCmd)       ; Enable Sub System Command Intercept
; SWITCH ON(RACFCmd)     ; Enable RACF Command Intercept
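
Both members use the same parameter syntax: a semicolon starts a comment, a trailing plus sign continues a statement on the next line, and a switch is enabled by replacing the column-1 semicolon with a space. That makes the rules the members state in their own comments easy to verify before the agent is restarted: exactly one SIEM type SWITCH ON in $$$CONFG, switch prerequisites satisfied (LOCALJL needs JOBLOG, SRCC needs SIV, USRSRCC needs SIV and SRCC), and exactly one active SERVER statement in $$$SERVR whose TRANS() matches what the selected SIEM type requires (TCP for LEEF, REST for AMIJSON and INFLUXDB) or recommends (TCP for CEF, JSON and Splunk). The following Python linter is an added example, not BMC code: it assumes a semicolon begins a comment anywhere on a line and that switch names compare case-insensitively, and the two sample members embedded in it are constructed for the example rather than copied from the shipped members.

```python
"""Offline lint for BMC AMI Datastream $$$CONFG / $$$SERVR PARM members.

Added example, not BMC code.  It applies the rules the members' own comments
state: one SIEM SWITCH only, switch prerequisites (LOCALJL/SRCC/USRSRCC),
exactly one active SERVER statement, and the TRANS() each SIEM type
requires or recommends.  Assumptions: ';' starts a comment anywhere on a
line, a trailing '+' continues a statement, names compare case-insensitively.
"""
import re

SIEM_SWITCHES = {"RFC3164", "CEF", "JSON", "LEEF", "SPLUNK", "DAM", "AMIJSON", "INFLUXDB"}
SWITCH_REQUIRES = {"LOCALJL": {"JOBLOG"}, "SRCC": {"SIV"}, "USRSRCC": {"SIV", "SRCC"}}
TRANS_REQUIRED = {"LEEF": "TCP", "AMIJSON": "REST", "INFLUXDB": "REST"}
TRANS_RECOMMENDED = {"CEF": "TCP", "JSON": "TCP", "SPLUNK": "TCP"}

# Constructed sample members (not the shipped $$$CONFG / $$$SERVR).
SAMPLE_CONFG = """\
; SWITCH ON(RFC3164)     ; Uncomment for SIEM type RFC 3164
 SWITCH ON(LEEF)        ; Uncomment for SIEM type LEEF
; SWITCH ON(Splunk)      ; Uncomment for SIEM type Splunk
 SWITCH ON(RACF)        ; Enable RACF Type 80/81/83/1154
 SWITCH ON(SRCC)        ; Proclib/Parmlib changes (Requires SIV)
"""
SAMPLE_SERVR = """\
OPTIONS IF(LEEF)    SIEM(LEEF)    TIMESTAMP +
        INSTNAME(LEEF.Agent)
;SERVER ip.addr.example TRANS(UDP) MAXMSG(2000) ; You MUST edit per doc
SERVER 192.0.2.10 TRANS(TCP) MAXMSG(2000)       ; constructed address
SYSPLEX +
        GROUPNAME(AMIZOS)         ; Sysplex group name
"""


def active_statements(text):
    """Join continuation lines and drop comments; return the live statements."""
    stmts, current = [], None
    for line in text.splitlines():
        code = " ".join(line.split(";", 1)[0].split())  # strip comment, squeeze blanks
        if not code:
            continue  # blank or comment-only line; an open continuation stays open
        cont = code.endswith("+")
        if cont:
            code = code[:-1].rstrip()
        current = code if current is None else f"{current} {code}"
        if not cont:
            stmts.append(current)
            current = None
    if current is not None:  # member ended inside a continuation
        stmts.append(current)
    return stmts


def check_confg(text):
    """Return (switches, problems) for a $$$CONFG member."""
    switches = set()
    for stmt in active_statements(text):
        m = re.fullmatch(r"SWITCH\s+ON\(([^)]+)\)", stmt, re.IGNORECASE)
        if m:
            switches.add(m.group(1).strip().upper())
    problems = []
    siem = sorted(switches & SIEM_SWITCHES)
    if len(siem) != 1:
        problems.append(f"exactly one SIEM type switch must be ON, found {siem}")
    for sw, needs in SWITCH_REQUIRES.items():
        missing = sorted(needs - switches)
        if sw in switches and missing:
            problems.append(f"{sw} requires {missing}")
    return switches, problems


def check_servr(text, switches):
    """Return (problems, warnings) for a $$$SERVR member given the active switches."""
    problems, warnings = [], []
    servers = [s for s in active_statements(text) if s.upper().startswith("SERVER ")]
    if len(servers) != 1:
        problems.append(f"exactly one SERVER statement must be active, found {len(servers)}")
        return problems, warnings
    m = re.search(r"\bTRANS\((\w+)\)", servers[0], re.IGNORECASE)
    trans = m.group(1).upper() if m else None
    siem = next(iter(sorted(switches & SIEM_SWITCHES)), None)
    if trans is None:
        problems.append("SERVER statement has no TRANS() parameter")
    elif siem in TRANS_REQUIRED and trans != TRANS_REQUIRED[siem]:
        problems.append(f"{siem} requires TRANS({TRANS_REQUIRED[siem]}), found TRANS({trans})")
    elif siem in TRANS_RECOMMENDED and trans != TRANS_RECOMMENDED[siem]:
        warnings.append(f"TRANS({TRANS_RECOMMENDED[siem]}) is recommended for {siem}, found TRANS({trans})")
    return problems, warnings


def lint(confg_text, servr_text):
    """Lint both members together; the SERVER checks depend on the SIEM switch."""
    switches, problems = check_confg(confg_text)
    sproblems, warnings = check_servr(servr_text, switches)
    return {"switches": switches, "problems": problems + sproblems, "warnings": warnings}


if __name__ == "__main__":
    report = lint(SAMPLE_CONFG, SAMPLE_SERVR)
    for key in ("problems", "warnings"):
        for msg in report[key]:
            print(f"{key[:-1].upper()}: {msg}")
```

Run against the embedded samples it reports one problem, SRCC enabled without SIV, and passes the LEEF/TCP pairing; feed it the text of your own amihlq.PARM members (downloaded or pasted, since the script runs off-platform) to catch a second SIEM switch or a SERVER statement left on UDP before the agent is started.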
